The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.

***

>> All right, we're going to get started. Thank you very much for coming and I would first -- so we're -- this is the panel on proliferation, cyber stability and state responsibility. I would first like to apologize for a change in speakers because a speaker had another panel scheduled almost at the same time at the Paris Peace Forum. So she couldn't be in both places. And David Singer had last-minute difficulties, and, of course, this all happened on Thursday night. So I would like to give special thanks to Bill Woodcock and John Calista for being on the panel as planned and I would like to thank our panel saviors, Bruce McConnell and Chris Painter. We even managed to preserve diversity, which was quite a challenge on Friday. And I would like to thank my on-line moderator, Dr. Alex Deforge, and we apparently cannot connect to the on-line moderation. So we're happy we're here so we can have a discussion.

Our panel will address the impact of cyber arms proliferation on cyber stability, but also examine the ethical and legal responsibilities of states in ensuring cyber stability. And it will also point to solutions to promote cyber stability and discuss the call to protect the public core of the internet that was recently proposed by the Global Commission on the Stability of Cyberspace. But also other norms that have been proposed by the global commission, which will actually be discussed in great detail in our panel at 1:30. But some of them address the issues of proliferation and cyber stability as well and they all address the issue of cyber stability. So we will unveil them as well then, and just some of them.

So, the reason why we set up this panel is because we all believed that the stability of cyberspace is at risk and, according to what Bruce told me yesterday, we think it will get worse before it gets better. And, of course, there are many flaws and vulnerabilities in the technology that underpins the global internet. But there are also malicious actors and other actors with capabilities that create these conditions of instability. And that includes states, who are probably those who build the most dangerous and sophisticated tools, which puts the benefits of cyberspace and the future of a digital economy in our societies in jeopardy.

We recently had a few wakeup calls, the attacks in 2016, the attacks that were really telling moments. And they showed that the rapid and traumatic propagation of malware created a systemic risk to which our companies and our societies are all exposed. And, of course, the destructive malware used the EternalBlue tool, which was developed by the NSA and exploited a Microsoft vulnerability, and then it was stolen and made publicly available.

So, we really have a diffusion problem around malware, in addition to other non-state actors' malware, and that raises issues of accountability and liability. So, it raises also the issue of who is ultimately responsible for the security and stability of cyberspace and, of course, it will be those who steal tools from governments and use them and, of course, these are to blame, but that also raises the question of what is the responsibility of the states.

And I think the attacks reveal the cybersecurity dilemma we're encountering when dealing with offensive actions in cyberspace. We recognize the cyber threats as a new security challenge that creates a systemic risk. Because these threats are highly complex and transborder, they can have a massive impact and they're hard to stop, as we can see. So it's in everyone's interest to stop the contagion that could be disastrous.

That pulls us to greater international cooperation, international regulation, information sharing, and decreasing the number of tools. But on the other hand, we are seeing that the cyber capabilities are also used as a tool by nations and non-state actors to maintain or increase their power and information. And we very much also view cyber threats as a geopolitical threat emanating from rival powers and economic competitors. That pulls us exactly in the opposite direction, of limited international cooperation and information sharing, but also in an arms race, leading to proliferation.

And the second perception of risk tends to prevail to date. It creates distrust between states and limits their ability to reach agreement on international norms of responsible behavior to ensure the security and stability of cyberspace. And therefore, in turn, it increases the systemic risk for the general availability and integrity of the internet.

So, this is the reason why the Global Commission on the Stability of Cyberspace was established and this is the reason why this commission has been working on a number of norms to ensure a greater stability of cyberspace and greater peace and security of cyberspace. We will discuss issues with our speakers and we have a number of distinguished speakers from the global commission in addition to Joanna, who's a professor. So, the first speaker will be Chris Painter. Chris Painter, does anyone not know Chris Painter in this room? So, Chris Painter, a globally recognized leader and expert on cyber security and policy and diplomacy and combatting cyber crime. He's been the U.S. top cyber diplomat and has been part of every major U.S. cyber policy for over a decade. And he's coordinated and led the U.S. diplomatic efforts to advance an open, interoperable, secure and reliable internet. And many other things that I will not detail here.

We have Bill Woodcock, who's on the commission and he's the executive director of Packet Clearing House, an international nonprofit organization that creates infrastructure including internet exchange points and the core of the domain name system. And following Bill, we'll have Joanna. She's a professor of international governance at the University of Lodz in Poland. She's also a member of the scientific committee of the EU Fundamental Rights Agency and she serves as an expert on human rights on-line for the Council of Europe and the European Commission. She's also involved with the European cybersecurity dialogue and she's done some research work for the Global Commission on the Stability of Cyberspace.

Next to her, did I pronounce this right? She is the executive director of the Association for Progressive Communications, which is an international network of organizations working with information and communications technologies to support social justice and development.

And prior to that, she was the executive director of SANGONeT, an internet service provider for civil society, labor, and community organizations, and she helped to establish e-mail and internet connectivity in southern Africa. Bruce McConnell, the co-director of the global commission and the global Vice President and acting, what is it? Chief operating officer of the East-West Institute, which means he leads the East-West Institute's relationship building around the world and manages the Institute's cyberspace initiative. And they opened an office in San Francisco, and before that, he was a leader of the cyber security mission at the U.S. Department of Homeland Security and became the deputy undersecretary for cybersecurity in 2013. So maybe we'll start with Chris.

>> Chris Painter: Great to be here today. Back at the IGF. I want to address a couple of things in my remarks. First, what are the threats we're facing? Why is stability important? And the role of the commission.

So, as was mentioned, we're in an unstable environment. We have a number of different actors, states, virtually every state who can is developing cyber operational capabilities, for instance, and they don't really have much doctrine or rules around that. That creates instability in itself. And we have criminals who have been around a long time but certainly not lying down on the job. They're becoming more sophisticated and transnational. And we have major vulnerabilities in software, which itself creates and is exploited by bad actors and creates other problems and disruptions.

And, you know, we do have a number of things we've seen in the last year that highlight that, certainly the worm and the effects it had on places around the world, which was attributed to a nation-state by a number of countries. The other one also originated from a different nation-state. We had hybrid threats we hadn't thought of before. When I was at the State Department, I was focused on the kind of big potential attacks on infrastructure we're worried about and still worried about. We've seen the testing, prepositioning of malware in electrical power grids in the U.S., attacks in Ukraine. So that's not just a theoretical worry; that is something that is substantial. We have concerns about the integrity of information and how that might make it even more difficult for us to trust the systems that we use every day. We've had a range of different things that we've seen in the last year which are very troubling. And it -- you know, we're in an environment where there's been unprecedented nation-state, criminal activity, but that's an environment where it's unclear, the rules are unclear, or not embraced by everyone, to the extent that there are rules there. And where accountability and consequences for bad actors are uncertain. So that, again, creates more instability and uncertainty.

Now, none of that would matter much, frankly, if we were not so dependent on technologies for everything we do, but we are. That's only going to be more dependent in the future. Things like the internet of things and how we use the technology for everything in everybody's life. We become more dependent, more vulnerabilities, more attacks, greater insecurity. Security is supposed to be the platform so you can have the good things, so you can have the social interaction and promotion of free speech. So you can have economic growth. We won't have these things if we don't have a good stable environment to base them on. So, stability is very, very important.

States have a role in this and a responsibility. That Russia, China, the U.S., different states from different places agreed. Why did they agree? It's in their self-interest. In peacetime, you don't want those attacks. In wartime, there are rules like international humanitarian law. And in peacetime, it's not clear what the rules are. So there's self-interest there. Or don't attack the computer emergency response team. So there's been good work on norms there because states have an interest in the responsibility.

In the U.S., interestingly, there has been a new strategy for cyberspace that came out a few weeks ago. And that had in it, which I thought was very interesting, it really built on what's gone before. It's not a real new strategy. It encompasses a lot of prior work and builds on it. That's a good thing. That shows stability. But it talked about how we're better together than we are alone. We're better acting together to combat the threats and to deter the threats. It sounds really collaborative; that's important in this area. John Bolton rolling out the strategy, using the cyber capabilities increasingly, is something I call saber rattling, which is a distinction from the cooperative approach of the strategy. A lot of nation-states are talking about what they're doing in cyberspace, developing their capabilities. They will, they should, but also without a real clear understanding of what the context is, what the rules are, that creates some problems.

So, enter the commission. The commission, I submit tonight, is unique. Because there's been a lot of government work, there's continuing government work, just because Friday -- just because a couple of days ago in the U.N., they agreed to have another one of these groups of governmental experts and an open-ended working group. So they had a Russian and a U.S. resolution and decided to use both. There's going to be a lot of work to look at the issues, the norm issue, the confidence-building measures issues, the stability framework, which is good. You have that. There's a role for other stakeholders too. I'd say all stakeholders, including governments, the private sector, and civil society, have a role to play in achieving a stable cyberspace environment and all should have an appropriate voice in achieving that goal. They come from different perspectives and different powers, but the unique thing about the commission is the former government folks, the civil society, all -- you know civil society is not a monolith. So it's a very different thing in civil society and academia and others and private sector coming together. People have a lot of experience to look at the issues and are consulting with the wider stakeholder communities as we go forward. We make good progress in doing that.

And the commission's goal is to elucidate norms, initiatives, and other measures to promote the stability of cyberspace. When I think of that, it's achieving an end goal, where everyone can use this technology freely and together. But also maintaining that goal through incentives to cooperate and disincentives to disrupt. All of that hangs together.

We've been working on that for quite some time now. Often in terms of what the rules are, and ultimately what the responsibilities are going forward. Some of these -- I don't know if we'll put them on the board or not, we have a number of norms we've done. Bill will talk to some of those. We have a number of others that we released the other day, including one on countries having a vulnerabilities equity process. An important thing for stability: countries, for security and other reasons, will maintain certain vulnerabilities to make sure they can do investigations, which help if you're attacking the criminals and bad elements out there. But the default should be disclosure. That's something we came to.

Or that, for instance, manufacturers of software have a responsibility to put security first and make sure there are a minimum number of vulnerabilities. We're at an interesting inflection point now where we look to the broader context of what the stability framework is. What are the principles that underlie this? There's a lot of work to do. I look forward to that. It's been a great group of folks and we look forward to continuing when engaged with all of you.


>> MODERATOR: Thank you, Chris. Bill, would you like to present the norms?

>> We're at the point of drafting norms and encouraging their adoption by states. The first one, the main one that we were originally called together with the goal of drafting, is the one you see on the screen now, non-interference with the public core. The text of it is right there in full. It is brief and to the point. Basically it's just saying that states and non-state actors should not attack the public core of the internet. So the phrase "the public core of the internet" was used intentionally as a neologism supplied by the Dutch government and the research they had done leading in to this process.

The phrase "critical infrastructure" is one that everybody uses, everybody believes they know what it means, and no one quite agrees on the meaning. You can't have a meaningful norm that references critical infrastructure because it becomes unactionable. We needed a new phrase to reference that could be defined such that the definition would be something people could agree to rather than arguing over the term. So, next slide?

So then we spent a little longer working on the definition. This text is the lead-in to the definition. Basically we were able to agree during the process to four areas that were protected out of a much longer list that was recommended by experts. We divided this between the critical infrastructure of the internet itself, core routing, internet exchange points, and so forth, and the ICT-enabled and internet-accessible aspects of traditional critical infrastructure.

So, for instance, the portions of the healthcare system that are computerized. The control systems for nuclear power plants, air traffic control, things like that. We were able to come to an agreement on the protection of the top four internet categories, but none of the traditional categories.

Next slide? So, the first one, packet routing and forwarding. This is the core routers of the internet. The exchange points where the bandwidth comes from. And the paths from those exchange points to the users of the internet. This is protecting the layer two and layer three routing and forwarding. Routing is layer three in the ISO protocol stack, forwarding is layer two in the stack. This is the path by which people communicate but not the tools that they use to communicate or the services that they're reaching over that.

Next slide? The naming and numbering systems, the IP addresses and the domain names that are used to find things on the internet. Having the physical infrastructure there and accessible doesn't help you if you can't reach anything through it. So, the IP addresses that computers use to talk to each other and the domain names we use to find those computers, are also protected. Next slide.

The cryptographic mechanisms of security are the software tools and algorithms and the protocol development processes that produce them that give us privacy on the internet. And give us the assurance that we're talking to who we think we are talking to. This is what allows you to do on-line commerce, on-line banking, and to digitally sign messages and to engage in encrypted protected communication. Next slide?

The fourth and final area is layer one, the physical transmission media, but noting that all of the wireless stuff is not included. So this is the physical cables. If your bits are travelling over copper or over fiber, they are protected. I hope that in the future, all of this definition can be expanded a little bit.

So, next slide. We are leaving the door open to expanding this definition in the future, including more of the things that the experts told us should be protected. I think there was a feeling by some of the diplomats from the countries that do engage in offensive operations that the -- they wanted to minimize the constraints they operate under. So there's been a bit of a challenge in getting the experts' recommendations adopted.

Next slide. So, with that main bit of work done and out to governments to adopt, we went on to do a series of other ancillary norms that surround that main one and provide additional bits of protection or clarity for different purposes. So, one of those is the norm to avoid tampering.

So, this is talking about, for instance, the NSA's attacks on Cisco Systems. So the U.S. government intercepting Cisco routers in shipment, in the supply chain, and tampering with them to add bugging devices. This is an interception of the product from a private sector actor to another private sector actor, a product that is going to become part of the core internet infrastructure, and contaminating it by a government. So this norm addresses those issues. Next slide.

Next one, the norm against commandeering of devices. This is basically saying that governments should not attack your personal devices, your watch, your thermostat, your automobile, your pacemaker, and use them to -- to attack other parties. It's not saying that law enforcement doesn't have the right to break into the laptop computer of a criminal. But what it's saying is that militaries do not have the right to appropriate the public's devices in general to create botnets to attack other people. Do you want someone else to --

>> You can go ahead and -- unless you want to present something?

>> All right, you want to do the rest of them or -- Bruce?

>> Okay.

>> I'll go through the remainder quickly, then. Next slide?

So, the equities process that Chris mentioned, vulnerability equities is the euphemism that governments use for what the rest of the world calls hoarding of vulnerabilities. This is when governments buy 0-day exploits from black hat hackers and keep them secret and then use them to create offensive weapons.

The norm out there in the world right now is that when an exploit is discovered, it should be reported to the parties that have the power to fix the problem, right? So, if the problem is in a piece of open source software, the norm is that it be reported secretly to the publisher of that software. And a timeline is agreed to between the person who found it and the person who's going to fix it, and the person fixing it has to get the fix distributed by that deadline, and the person who found it is then welcome to publish about the problem after the deadline.

Governments, on the other hand, would like those vulnerabilities to be sold to them or given to them so they can exploit them for offensive purposes. So, the vulnerability equities process is the balance between the desire for non-offensive use versus the desire for offensive use.

Next slide. Norm to reduce and mitigate significant vulnerabilities. This just says everyone should take reasonable steps and precautions in developing tools to not let them out into the world with significant vulnerabilities already included. Next slide.

This is saying basic cyber hygiene is necessary in order to make the world a better place. This is the -- so there are germs in the world and washing your hands is good. Next one, norm against offensive cyber operations by non-state actors. It means not only that governments shouldn't run around attacking people, but also the private sector. Because obviously both do happen, and governments should take appropriate action within their realm of sovereignty to prevent private sector attacks.

So, for instance, if there is an attacker in Brazil attacking someone in Germany, the German government doesn't have any leverage to protect their citizen, the German victim doesn't have any leverage, only the Brazilian government has the necessary leverage to stop that attack. Therefore, we need a norm for governments to take that necessary action even if the -- the victim is outside of their own borders. Is there another slide? Okay.

>> MODERATOR: Thank you very much. And now Joanna will address more specifically stakeholder responsibility with regards to international law.

>> Thank you.

>> MODERATOR: Thank you.

>> Thank you for the invitation and allowing me to speak on international cyber attacks. I'm a newly appointed member on the advisory committee. I am happy to discuss the work we've done for the commission. They've been kind enough to announce the publication of the reports.

The report was on the first norm that Bill referred to, the public core. I would like, however, to discuss the norm that was just mentioned by Bill here. First, let me start with the obvious. What I do when I work, I try to use international law developments for cyber stability, cyber security. So the obvious fact we all know is that international law does not allow us to hold states responsible for the actions of private actors. That's why we're all here. We need to indicate that a private actor was acting on behalf of the state, authorized by the state, under its control. Since this is very difficult, we, the international community, are trying to find a way to prevent cyber attacks with the use of cyber weapons by private actors.

I believe that international law has a tool to offer to take that challenge. International law foresees an obligation to prevent significant transboundary harm. There have been volumes written, including by the commission, on preventing transboundary harm.

When referring to the work of the commission, there is the protection of the public core and other critical infrastructures. There's little to argue against the fact that those elements, critical infrastructure, the public core of the internet, when interfered with, will cause significant transboundary harm. With that, the lessons learned from international law and significant transboundary harm can be directly applied to all the instances we've been discussing here -- the use of malware included.

Now, the standard of preventing significant transboundary harm is focused around my favorite principle, the principle of due diligence, and I've been granted permission to discuss due diligence. I can go on for a long time. Since the time is limited, I will not do that. The principle of due diligence includes nine elements, out of which let me mention a few that I find are significant here. Due diligence implies there is a theoretical model of good government. We try to understand what a good government would do in a particular situation. In our given situation, it would do its best to prevent a transboundary attack or the use of malware or cyber weapons. This is not an obligation of result. This does not imply that the state needs to effectively prevent that attack. It just needs to do its best. Now, this notion of due diligence is limited to the economic state of that particular authority, to the political situation, etc., etc.

I will try to frame that standard in more detail as we move on.

When I look at the work of the international commission, the standard of due diligence implies also that this is a continuous obligation. So it's not something that the state can do and forget about. Rather than that, it implies the obligation to monitor the state of affairs within the state's jurisdiction. Usually this implies just the territory, but it does not necessarily have to be the case.

The principle of due diligence is linked to neighborliness. What would be expected of a good neighbor? What would you do to prevent harm if it attacks our vital interest? We reflect the level of development of a particular region or state on to the obligations of that state.

The commission mentioned here in a number of norms the word "allow": a state should not allow particular activities to take place. I believe that this wording directly reflects this obligation to monitor the jurisdiction of that state for potential malicious activities.

The obligation stops where the activities become clandestine, when they become hidden. So even if a good government acting diligently will not be able to discover them, that's where the obligation of due diligence stops.

How do we enforce this obligation? This is something that the commission mentioned a number of times. This obligation is fulfilled where relevant national laws are enacted; that's one of the latter principles that Bill mentioned here. We expect states to introduce national laws that would set a standard of care enforceable against private actors. We look at the European environment, which just welcomed a few years back the Network and Information Security Directive. And that's exactly this. That's a standard for cybersecurity.

Now, we struggle with the proof. The good thing about due diligence is you don't need proof. You only need to show the state was below the expected level of diligence. I find the work of the commission tremendously helpful because I strongly believe it does set an international standard for cybersecurity due diligence. All of the details that Bill just explained and all of the background that Chris presented here, I believe, strongly contribute to interpreting the international norm of due diligence for the purposes of cybersecurity.

So, the package that you've been presented with, to me, is an understanding, a contemporary understanding, of the well-established principles rooted in the law of international liability. Thank you.

>> Thanks. And just for the record, I'm no longer executive director of the Association for Progressive Communications. I stepped down last year. I'm a member of the commission. But I think Fredericka has asked me here to express what civil society's views and concerns are around the issue of proliferation and responsibility. Civil society, of course, is not homogenous, but I think there's a significant number of civil society organizations who fundamentally believe that this offsetting between security and rights is not the way to create a secure cyberspace or environment.

The more there are protections for rights, particularly the right to privacy, the more secure the internet actually can be. That's the first thing. We challenge the supposed contradiction between security and the protection of human rights on the internet.

Secondly, I think we ask the question, whose security? We feel the debates around cyber security are focused on the security of states, not on the security of users or content or systems. And there is this national security and often a counterterrorism paradigm that's being imposed on the discussion of how to secure a global, interconnected cross-border network where data flows and information flows and user relationships cross all kinds of boundaries. And we feel that many of the efforts by states to establish security, particularly through national cybersecurity legislation, fail. Why do they fail? Because they're not focusing on protecting users, with too little provision for addressing cybercrime and preventing crime and data breaches, and too much focus on empowering states to surveil user communications, surveil data, and intercept and monitor what people do on the internet. This lack of solid due process backing creates a more insecure internet rather than a more secure internet. I think we feel there really is an environment of uncertainty at the moment in this space. I think there's a sense that states are often not to be trusted to really effectively secure the internet. As has been said already, many states are investing in cyber offense capacity. That's not something we feel they are particularly responsible for or should be doing.

We also feel there's just this constant evidence of lack of due process in surveilling, intercepting, and monitoring. And you have the internet business model environment, which creates uncertainty. It's very hard to trust what happens with your data and who's using it. And every now and then there's evidence of complicity between states and companies. And I think, as the commission, you will notice on norms we always say state and non-state actors, and we quite consciously started to address both states and non-state actors. I think certainly that's implied. Also the complicity between them that has created more insecurity. So the other concern and uncertainty we feel is at the level of process. That was a Freudian slip. We feel that cyber security processes are not inclusive. At the IGF, we talk about the multi-stakeholder process. But the development at the national level in many countries is not an inclusive process. It's not a transparent process. We also see cold war patterns where governments are encouraging developing country states to develop cybersecurity legislation that is similar to theirs; you see bilateral treaties between countries, like China has several bilateral treaties with countries in Africa.

You have the Africa initiative, the African convention on cybersecurity and cybercrime and data protection, and it is not given the time and attention that it needs to develop regional cooperation that might be flawed in some ways but is a very solid basis for a regional approach. We have a weakness in process. There's not sufficient cross-border international cooperation, not just among governments and other non-state actors, but also between governments, this insufficient cooperation. So, yes, so, in -- in short, we feel that in this current framework, state responsibility is not being adhered to in the context of international law as we understand it, particularly not in the context of international human rights law. The state is the duty bearer for ensuring that individual rights, not just citizen rights, individual rights, are protected. And frankly it's a concern that there isn't a strong voice coming from states against developing cyber offense capacity.

>> MODERATOR: Thank you very much. And finish with Bruce before we start the discussion. You have just come from China. You probably have a different perspective.

>> Thank you very much. Can we go back to the first slide of the public core norm. As Fredericka just said, I just came back along with my colleagues here, Chinese colleagues, from the fifth world conference in China, a little west of Shanghai, a beautiful place. So, I wanted to bring you into this conversation, sort of a report of my impressions from my week of discussions with many Chinese think tanks and officials from the Chinese government, from the cyberspace administration of China, which is kind of the cyber coordinator, if you will, for China, and from the ministry of foreign affairs.

I have two observations from those conversations and I have some conclusions or an assessment that come from my, you know, musings, if you will, after having spent this week with my Chinese friends and people from other countries as well.

So, the first observation is that which I think was agreed to by almost everyone that I ran into anyway and talked with, is that cyber security and cyber stability is no longer about cyberspace. It's no longer only about cyberspace for sure. It's about everything we do in our lives, everything we do from getting up in the morning to going to bed at night. And you know, it's about Alexa. And in China, it's particularly about electronic payments. So, in some parts of China, paper money is out of use. Everyone is using their phone to pay for things. Amazingly efficient and effective but way beyond what we have in the United States certainly or in Europe.

So, I think the -- there's a realization among the cyber cognoscenti like all of you that this has gotten more significant. We need to do something about it. Because we're likely, without doing something, having a really bad day and having some kind of cyber Hiroshima and nobody wants that. And we don't and can't use the cold war model of mutually assured destruction, which is what kept us from all perishing in a nuclear winter. Because we're in a multipolar world. It's just not -- that kind of standoff doesn't work. Too many actors.

That's the first observation. The stakes are existential, not just interesting. The second that was widely agreed and in fact the senior Chinese official said this is we have a consensus -- we have a consensus about the norms. We can talk about the wording of them and the applicability of them. But -- among countries, there's what should and should not do. What kind of behavior is acceptable. Which is not. We should not attack the public core, though this norm of the commissions like all of the commission's norms is -- is limited in its applicability. So it starts out saying we shouldn't attack the public core. But it doesn't say that. It just says don't attack it so badly that it affects the stability of cyberspace, right? So you can take down a cable, an undersea cable as long as it has limited effect. And it's about scale. The commission recognizes countries will use cyber weapons and there are limits on the kinds of scale of the attacks.

This is a general consensus. We've seen it in the group of governmental experts in the U.N. You hear it from the commission. We are -- states should be responsible for their own malicious activity. The principle of due diligence. We shouldn't attack critical infrastructure, international critical infrastructure, that includes the international finance system. Shouldn't attack each other's incident response facilities. And there's a broad set of consensus around that. So I think that's interesting.

And this leads me -- and it's kind of reassuring in a way that there's a broad range of consensus around that on a global basis. So this leads me to my observations about this. Yes, the stakes are big. Everybody would agree we have a consensus about what's reprehensible -- what's the problem then?

We're not having the right conversations around this. So the traditional approach to dealing with this is we should have consultations, we should have dialogue with each other. And so we have those. And so the diplomats get together and they work for, you know, over 15 years at the U.N. to come up with norms that people generally agree with. The cyberdefenders get together. And all, I figured out, this is what we should and shouldn't do. They share information to some extent. Although those efforts are difficult given the larger geopolitical situation.

Industry is getting involved, so the Microsoft-led tech accord which has a lot of norms in it that 60 or more companies are involved in, and similarly the European companies under the leadership have come up with the charter of trust. NGOs are with us in conversations as well. You know? Not everyone is in agreement or anything but in general, we're all talking about this. And, yet, we wonder, well, how is it that norms actually develop? In environments, right? Do they come down from pronouncements from diplomats? Actually, no. That's not how they work. They develop from the bottom up in a certain way. They develop from state practice.

So, traditionally, whatever states do turns out to become kind of the norm. And if you look for example at the norm and ultimately international tree -- ultimately international treaties and laws against chemical weapons. States used chemical weapons. Here we are at the armistice of what they called the first -- of what they call the great war. And chemical weapons were used in that in the trenches. And people realized this is not a good way to fight war and states agreed not to use them. Now, obviously, the treaties were violated, the norms are violated. But without them, there would be a -- it would be the wild west like we have in cyberspace.

So what happens generally is that state practice defines the norm that ends up arising and becoming acceptable practice. That could lead to agreements and rules and laws, stuff like that. What is state practice today? States are not following the norms that we've been pronouncing. Right? States are conducting offensive operations on each other, on each other's critical infrastructure. They're conducting them through military means and they're conducting them through the intelligence community. And the boundary between intelligence and military actions or activities is very quirky in cyberspace. And, so, this is why I say we're having the wrong conversations. All well and good for all of us in here to talk about these things and agree on them. But, in fact, we need to be talking to the people with the capabilities, the military and intelligence communities. So my advice to all of you and to myself is to, you know, take a soldier to lunch, have coffee with the spy, and talk to them about this and say, you know, this is a big problem. This is getting beyond, you know, interesting, the consequences and the stakes are existential. You -- existential, you need to be more careful with each other if you're talking to each other.

>> MODERATOR: You mean those people talk? Bill wanted to react?

>> This is very diplomatic. When he says states are not abiding by these norms, what he means -- sorry, what I would elaborate upon that, sorry, not to -- there are six states that are not following these norms, three large ones, six small ones, the three large ones, U.S., China, Russia, the three small ones, Israel, North Korea, and Iran. There are 190 other countries in the world have no problem with these norms and follow them. So the question is how can we get that recognized in diplomacy? How can we get the cost of violating these norms made significant enough that those six countries will abide by the moral guidelines that the rest of the world already adheres to.

It is worthy of understanding that in as much as militaries believe themselves to be guided by ethics, those ethics are rooted in the notions of no man's land and the high seas, right? That this notion that two militaries can go at each other in no man's land or on the high seas. In an area created by nature where no people are. There is no area created by nature with no people on the internet. Everything on the internet was built by, at the expense of and for the use of and maintained by the private sector. There is no no man's land on the internet. There is no high seas on the internet. There's nowhere where states can conduct offensive operations that is not principally against the private sector, right? So this is why there's not an ethical justification for offensive operations in cyberspace, particularly not one that can be traced back to some military notion of the right of states to beat on each other out where nobody cares.

>> MODERATOR: Chris as well and maybe Joanna after can give you some ideas.

>> I disagree with Bill. Bill takes a narrow industry view of this. There are rules in the cyberspace, there are rules in the physical world. People say cyberspace is so different from the physical world, that can be stabilizing. The fact is in the physical world, the private sector individuals own land, railroads, and other things. Those things get attacked. There are rules. There's international humanitarian law. That's what brought us safely to this century. We can't take an anti-state view because those are the parties in addition to others we're trying to recruit to actually accept these rules and abide by them. States don't abide by rules in the physical world either. The invasion of the Ukraine, treaties, other things. There need to be consequences. So part of this to me is not just coming up with a set of proposed rules, rules of the road, but also to think about what the accountability aspect means. We haven't touched on that yet.

States are looking at this too. States have done a terrible job at accountability. I'd say there have been little consequences for bad actions and we need to do a better job at that. The other point I would like to make with respect to some of the norms, our norm against noninterference doesn't prohibit states from doing everything. They can do targeted -- targeted things with respect to products and the supply chain, which they will continue to do for law enforcement and other reasons. It's really affecting the larger infrastructure. Worried about the real destabilizing nature of it. And the final thing I'd say is -- because we have to be realistic frankly. States will develop capabilities. We need to come up with the understandings of how we can minimize the damage of those things. And I say how I disagree -- if you know they're a spy, I guess, maybe not necessarily take them to lunch. But I see there's a group of cyber cognoscenti who travel from meeting to meeting. We had the 10 cyber events like the cyber tribe. They went meeting to meeting. We're at different events. We're the same people there. The people who need to know are not often the people in rooms like this. They are the foreign ministers, the leaders, the national security advisors. Some of them are across town at the Paris Peace Forum, a panel there that would be helpful. We need to mainstream the issues so that they understand it -- I see the consequences as a view of this issue as too technical. It took seven months to attribute the last bad acts. Those weren't followed by consequences. If we want to do that right, we have to move the timeline quickly forward.

>> MODERATOR: Thank you. If you want to reflect on this, I'm interested in the issue of accountability and you mentioned the discussion that we don't at all is whether the U.S. governance shares responsibility for what happened? Because it was a tool given by the NSA that was stolen. And so how can we work -- I mean, how can we establish or maybe shared liabilities or -- what happens at work? -- how does that work?

>> Very briefly. The principle of due diligence implies, to address your question first off, that you need to secure your jurisdiction, the individuals within that jurisdiction, private actors, especially if there is information that can be potentially harmful to other states. And in that sense, I would perceive the obligation of that state to keep the information that you mentioned here secure, the software that might be potentially harmful. In that sense, due diligence might be applied to the states which fail to effectively protect any kind of substance. And this is an international principle that may be internationally harmful to other states.

Another comment I wanted to make was on human rights. I was asked to speak on the state's responsibility. I stuck to those instructions. I appreciated your feedback on human rights. Let me observe that due diligence applies to human rights as well. We have a lot of work down there. We discussed the role of states here, the international responsibility, state responsibility and international reliability. What is unique in this venue we are in here now is the multi-stakeholder model. It's been emphasized, I think I mentioned this briefly, but there's a lot more to be said about the potential of the multi-stakeholder model for cybersecurity. We tend to focus right now, and Chris and myself have participated in a conference last week where the focus on the cyber security impacts the role of states. So we focus on cyber security so much that we think it's just the domain of states. It is not. States will not be able to protect us effectively alone in cyber space because it's a multi-stakeholder environment. We understand it does not emphasize this room here because we come here as multi-stakeholders ourselves. But when we look at international law making, and this is something that the commission addressed perfectly as well, it's not just about states, it's about civil society, as diverse as it might be. The proposal for a cyberpeace convention is not coming from the states, it used to, a decade ago. Not coming from the states now. It's a privately led initiative. So we look at the circumstances of making cyberspace more secure. I think the multi-stakeholder model and the building that Chris mentioned here as well is not to be underestimated, thank you.

>> MODERATOR: Going to take a couple more reactions. Yeah, just a second. Just to let you know, after the reactions we'll move to questions with the audience so if you want to prepare questions for the panelists.

>> I do want to hear what people said. Just to add, I think Chris -- I would say take an engineer to lunch. I think there's far too -- Bill mentioned the private sector and the role of the internet. What about the technicians, the technical ability, the people who design and maintain day-to-day security. Are they sufficiently part of the process? But just remember, whoever you take to lunch, somebody is going to know about it.

I just wanted to mention one more point about states. I think I completely agree with you. It isn't just a state responsibility. But there is a level of state responsibility and there is a need for collaboration. One thing I haven't heard in our conversation is looking at the different levels of capacities in states. And in my experience, and I know the people in the audience, who worked with developing country states, particularly in Africa, is that they lack capacity and they panic. And they feel that this is a huge priority that if they don't take measures, if they don't develop quite restrictive national cybersecurity legislation, that they'll be vulnerable in some way that they don't necessarily fully even understand. And this panic produces an approach to cybersecurity that I think that doesn't -- that's not inclusive but also doesn't actually look at what are the fundamental building blocks, the human capacity, the institutional capacity that you do need at an international or regional level to ensure day-to-day security of content of communications, of systems, of transactions, and the use of the internet. And that leads to the very top-down and quite restrictive and human rights violating type of legislation. And far too focused on the national security approach. I just want to emphasize that. And where the work needs to be done, building the capacity of law enforcement agents to deal with data breaches, to deal with cybercrime and follow due process and fearing that, little focus on that level.

>> MODERATOR: Anymore reaction? Questions from the audience. Can you introduce yourself before asking your question?

>> AUDIENCE: Sure, hi. My name is Sedrick. And just to put all my cards on the table. I'm from Israel. One of the six states that you named. I wanted to react to the statement that there is like six states on one side that don't abide by norms and then the whole world on the other side that does or wants the norms. I think it's an oversimplification to present it this way.

First of all, there's a lot of democracies that value the rule of law and that value security for the citizens that are developing cybercapability is not because of some drive to weaponize everything but out of real legitimate security concerns for their citizens.

A second distinction is that I think Chris Painter a little bit too is this distinction between norms and law and the UN GGE of 2015, the report makes that distinction very clearly. Norms are voluntary, non-binding. You could say aspirational, where law is law.

Now, the challenge is that in cyberspace, the applicable law, international law, sometimes it has the principles that are certainly applicable. And the challenge is how we translate them. But the states like Israel, U.S., the UK are committed and bound by international law and they do measure their actions in -- in, you know, live in that framework. And to say that there's these countries on the one side that it's just a free for all, it's not the reality. And states are moving in the direction of clarifying what international law says in these things. So we saw, for example, a few months ago with the UK attorney general in a very important speech. They gave the contours of what in the UK's view would be the applicable principles of international law and how they would see them applying in practice. So we are moving in that direction. But that's a very different conversation from the norm discussion, I think.

>> Thank you very much. Before we move on, do you have any discussion?

>> I think there's a hypothetical difference between developing offensive tools as a deterrent and not deploying them. And not allowing them to fall into the hands of other bad actors versus creating these, using them against the private sector, and allowing other people to walk away with them outside of their control and also use them against the private sector. Right? So this is the distinction that I'd make. I'm not saying that no one should ever develop an offensive tool. I would rather that were the case. But I recognize that's unrealistic. The distinction I'm making is between the countries that are developing them, are using them, and are allowing other people to walk off with them or are selling them. Right? Versus the countries that are not doing those things.

>> I agree with Bill, there should be better control over proliferation. That's something all states -- not just those six states, many are developing cyber capabilities. Many are developing them without any framework at all. Many of the countries, especially the democratic ones, have frameworks around them. We're doing a good job of letting them proliferate.

And I agree, many of the countries, the democratic ones do try to follow international law. I know from being in the government, there's a lot of discussion to make sure they're doing that. The cybercapabilities are going to be used as part of the larger tool kit but you have to be careful of the escalation in using them.

The last thing is I'm not sure I agree with the concept that state actors are presently causing the most damage in cyberspace, and the most dangerous actors. I think they are potentially the most dangerous actors. There's a sense we've seen a lot of activity recently, so they're the most dangerous actors.

If you add up the damage from some of the big events, you know, other things over the years, it still pales in comparison to the criminal exploitation of vulnerabilities for other purposes. Back to Henrietta's point, that's an issue we need to focus on too. We should not lose focus on other issues and threats.

>> I guess -- go ahead.

>> I'll respond to my colleague's comment about states. So I agree that the damage is less. You know, Maersk was a big deal and cyber crime is a bigger deal, it's every day. The standpoint of stability and miscalculation, states are the larger problem.

>> I guess it depends on how you define dangerous. A question here and a question here. We'll take three questions and get answers. Introduce yourself.

>> AUDIENCE: 2 ministry on the political -- arrived from New York first of all, thank you very much for quite interesting dialogue. For interesting discussions. Well, let me just bring smaller remarks. Norms, rules, states behavior. First of all, there's no rules in the world. All of the reports taken from 2010, 2013, 2015 produced only recommendations of the actions of the states. So, the world right now, that's the only recommendations. Not approved by the general assembly.

What's going on right now, last week, Chris mentioned the two -- were adopted by -- produced by the Russian federation and by the United States of America. 20 years ago, Russia was the first country to present this topic in the U.N. general assembly. So when we had a conversation with our American partners in New York, there was no consensus and our American delegation told us precisely that we didn't know -- we didn't make any rules at all in the cyber sphere. That's two weeks ago in New York, precisely. So, the draft of the Russian -- that's adopted by the -- precisely. Well, focused on two main issues. The issue number one, the draft for establishing the U.N. open-ended working group. This is to address as a priority three crucial topics. Applicability of international law, there's no international law, unfortunately, and assistance to building the countries in ensuring cybersecurity. Draft records with the basic norms of behavior of states in cyberspace. All together, there are 13. As soon as the general assembly adopts our draft next month, probably legally we will have these rules. The initial -- the initial list of the rules.

So we would like to invite the organization to participate in the open-ended government -- let us present not only by Russia, but there will be 33 co-sponsors of the draft. Let us work together. Thank you.

>> MODERATOR: Thank you. Any other questions?

>> AUDIENCE: My name is Vinny -- I'm the Vice President for U.N. engagement. My next question would be exactly what our Russian colleague said. But last week the United Nations general assembly committee discussed two different resolutions, the Russian sponsored one and the U.S. sponsored one. The question for the global commission would be how the work that you do would contribute to the fact that now there will be an open-ended working group and a governmental group of experts at the U.N. in the next couple of years? And do you think that your work kind of helping both of those groups or could their work help you. Can you give an idea of how you see this coordination? Thank you.

>> MODERATOR: A question here.

>> AUDIENCE: Good morning, I'm from the European union delegation to the U.N. in Geneva. My question is actually almost the same as the two previous questions, it also relates to the UN GGE work in New York. And considering that we will have now two working groups working on this topic, can we really say that we're sure that we have this global consensus on what the norms on cyber should look like? Thank you.

>> So, Chris?

>> So, I did mention that there were two competing resolutions. I would take issue. I doubt the U.S. said we don't need rules in cyber space. The U.S. thinks international law applies in cyber space. That's an important precept. They think the norms, you know, the work that the commission has done, we're not going to get to binding rules right away. We have to think of the norms, then we have to get acceptance and people say yeah, that's a good idea. And beyond just those groups, they have to be broader than that. In the GGE, the work was endorsed by all of the U.N. members as something to take forward next year. That's important. Even though those have been the products of experts, they've been very useful.

I think when people have suggested having a treaty for cyberspace, that often deals with content issues. There are states with different views of content that they think that itself is destabilizing, that's not the view of other states. So, I think having norms and trying to get socialization of norms and building upon that and getting acceptance, those understandings, we're in the young area, the beginning area. The point you made and it's always good to see you again. We used to be on the G-8 back many years, Vinny, good to see you too. The point several raised is how this open-ended work and the GGE will work with our commission and what our aspiration is. I can't tell you for sure how this will happen. Aspirationally, it will be great if we can have a connection with both of those groups and others because one important thing going forward is for states to actually see value in our work and to accept some of our work. So I hope that we can forge a symbiotic relationship between the work of the commission which I think has the value of bringing together the various stakeholder communities on the issue that the stakeholder communities don't normally collaborate on, on international peace and security. I think there's value to do that. I think there are opportunities to do that as I read the resolutions. That's something we want to do. That's what our commission wants to do. I can't speak to all here, but I think that's probably our consensus.

>> So just a couple of things on the process point of commission. So the commission is finishing up the second of three years. So we will go out of business next year. And so I think it's -- it's good that some other activities are going on. We're represented -- our -- the secretary of general of the U.N.'s high-level panel about digital future. So we're participating in that. And I think throughout our work, we have attempted to understand and align with emerging diplomatic agreements. Whether they be norms or rules. We continue to do that.

We're happy to hand the ball off to the diplomatic community to get it nailed down and solved and put into international law. They can do that. And you know, that's -- we -- it turns out that the difficulties that it was handy to have the commission in place to keep the ball moving, so to speak. And we're happy to see these other efforts getting going again also. Although -- especially since they're more open to broader participation than previous U.N. efforts have been.

>> Yes, in response to Vinny and the other question, we're encouraged the processes are starting again. We started our work as a commission, it felt as if there was going to be deadlock. So this is very positive. And I think as Bruce said, we can keep the ball rolling, but I think we do more than that. And I think we bring in the perspective of non-state actors and the builder approach to just that's implied by the cooperation between states and state's responsibility. And I think what I would urge these processes to do is to work in a more inclusive way. It's impossible for states to effectively be accountable. And -- and be responsible and the state actors in exclusion without really substantially working with the technical community, bringing in society and business. So I think these processes should more consciously than previous processes create space, ability of participation of non-state actors.

Secondly, I think really importantly, to recognize the work that's done in other parts of the United Nations system on internet and cyber-related matters. For example, the work on privacy in the digital age. The digital age that's being done in the human rights commission, the quite substantive work on norms, for example, the importance of the right to encryption and the right to anonymity. These are recognitions of the human rights council but member states are making legislation at the national level that in some cases is making encryption illegal. I think these bodies, the working group and the GGE processes, it's really important for them to make sure that their approach to cyber security and stability harmonizes with human rights law as it's evolving and being interpreted with regard to the internet.

>> MODERATOR: Thank you very much. Any other questions? So, maybe one question to the panel, because one of the questions we may ask, we -- between ourselves agree that cyberstability is at risk. How much awareness is there among states that it's actually at risk? Clearly from the set of norms we're proposing, we're asking the states to constrain their activities and give up on some of the activities you're doing. So how do you create that incentive.

>> I actually think there is a lot of worry in states. I think the reason that there's a lot of activity in the GGE, it's true, back several years ago, Russia proposed a GGE and they must focus more on a cybertreaty which concerns some countries because they have a different view. But the fact they may have collaboration and we're able to agree, for instance, in the 2013 GGE among the experts and, again, last year, two years ago, there was an adoption in the first committee, that international law applies, need to figure out how it applies. It's certain norms or confidence building measures, is the fact that the states are thinking about a stability framework is important. They recognize it's an issue. Not all states do. One of the things we need to do is do more capacity building and get more states to get to the conversation, even on the state level. Other stakeholders too. But I think states, it's a small group that's discussing it. So I think we need to get more into this conversation to get their views.

But, I think we're going to see that grow. I think that urgency will grow as we see more destabilizing conduct and we see what's at risk. Less worried about attention but still worried about attention beyond the cyber community. I want people who do policy at a large level every day, the leaders, to understand why this is important.

>> MODERATOR: You think a civil society can help to create that incentive?

>> The last few questions have led me to think that it might be useful to characterize the difference that I was positing before in a different way. We live in glass houses. There are those who say the rock throwing should have a study. Maybe my treaty is better, maybe my treaty is better. In the meantime, there's no law that actually prohibits us from throwing rocks and the other 190 countries are rolling their eyes saying do we need to have this conversation when we are all living in glass houses.

>> I think my vision of what Bill just said is this notion that there are good governments and bad governments, that's not a helpful notion when we are talking about the security of the internet. The so-called good governments are often the ones that do most to violate the sense of stability. The so-called bad governments are often the ones that do the least. So it's just not a helpful concept.

I think, I'm sorry, I would say -- in response to your question, this conceptualized really what responsibility is and responsibility of different actors but also the responsibility of states. For states, particularly, I worked with the developing country states. And to think of cybersecurity as something that they have a responsibility for, they should be in collaboration with other actors. They should see it as a part of their role but not first and foremost as a national security question only. That politicizes the process and produces cybersecurity practices that are very political in terms of party politics, regime security, so it's not even national security, it's regime security.

And I think real collaboration, what you see in many countries is the financial services sector, for example, is investing a lot of money into ensuring more secure transactions. Credit card fraud, dealing with the financial costs of cybercrime. But they're doing it often not in collaboration with the government, not supported by government. So, I think here there's a real need for states to approach this problem in collaboration with those that are actually doing it, that are losing money. And to do it in a sort of broad collaborative process. An assumption because cybersecurity so often sits in that national counterterrorism paradigm or box that it's approached in a secretive, exclusive way when, in fact, the problem can only be effectively addressed, including at the state responsibility level, in collaboration with a much broader set of actors.

>> MODERATOR: Thank you. Any other questions? Maybe a question to you, Joanna, we had this conversation before. I wonder if the tools that were released including by states can be arranged, they can be reused. Can we -- or they can accidentally propagate. Can we borrow from environmental law now with regards to our responsibility to accountability?

>> Thank you, that's one of my favorite questions. Thank you for posing that. I love analogies. There's a lot to be learned in environmental law. I don't think it's just environmental law. To answer your questions, yes, yes. We can look at environmental laws, look at the safeguards, and I appreciate this discussion because I believe all-day threats we mentioned here, the fluctuation of norms where norms are being discussed is also very characteristic for international law. It's not set in stone. So that was a norm on state responsibility or law if you will on state responsibility. If there's a principle of due diligence. The content of that norm, the content of that law, of that principle is filled by dialogues just like this one.

So, if you were to ask me, what are states responsible for in cyberspace? I would say, well, look here, the responses we got from our audience are exactly that content. International law to me is fascinating because it fluctuates and reflects temporary evaluations. This discussion I'm having here, I'm looking forward to the IGF this year. What impact will we understand as state responsibility in 2018.

But this landscape is no longer a solitary environment for states as we just said, the responses we got to the previous question just to emphasize that the impact can be made on states will largely be done by other stakeholders. It is about raising awareness. Business knows this. They know that security is the key to sustaining their business. I think there's work to be done on users on both sides making them aware of how important security is and making them aware of the price they're paying. This is a human rights argument. The pressure to put on states should come from bottom up and from businesses. That's being done. That's the active countermeasures, the graph that's being now stalled, pretty much, in the U.S. legislative process.

But it's also the initiative of users to put impact on the United States to make sure they're secure and that their human rights are being protected.

>> Hi, I'm Hans lion from Georgia Tech. I have a question if the changes in the U.S. affect the world situation in terms of negotiation. So the U.S. has recently proclaimed it will turn away from internationalism and towards nationalism. Adopting a more sovereignty-oriented approach. At the U.N., Trump said we don't tell you how to live, you don't tell us how to live. Does this create new openings? The U.S. takes a sovereign approach and less an international approach, does little to change the game in any way. What are the implications of this for international cooperation? Thank you.

>> So, certainly. I would say yes. My conversation -- we try to reduce international conflict between states, between not just cyberspace, but generally. So before I was in China, I was in New York. But before I was in China the last week, I was in Moscow. And I would say in general, the conversations are more challenging on cyber because of the larger security situation which is in part a result of the new nationalism by the U.S. and by others so we're in a difficult period. That's why I told Fredericka it will be worse before better. I think it's having a negative effect on our ability to cooperate.

>> I just say, I agree. A unilateral approach by any country is not helpful in an area that you need more international cooperation. We have had some of that. We need more.

However, I take solace in the fact that as I said this new national cyber strategy took a different tack and talked about launching the initiative and the norms. It could well have come up with a strategy saying screw the norms. We're done with that. It didn't do that. It said the norms were and would continue to be important going forward and it said to build the consequences of the deterrence, we're better acting together than alone. We're better working with other countries. That's a different approach than this more nationalistic approach. That's the way forward I hope because that's the only way to get results here.

>> A quick reaction. I think the -- the one hand, I think the notion in general that -- that the U.S. is the leader of the free world is one that I've been skeptical about for a long time. So I don't think maybe that is such a big difference. But I think what is really concerning from my perspective is that that is it's weakening and already weakening international system. It's the U.N., the mechanisms, the institutions that we have that aren't the only institutions where we really have where we can come together as a global community to address those kinds of problems.

And on losing resources, losing credibility, losing legitimacy as a result of that kind of position coming from the -- from the United States. And then to mention that the United States withdrew from the human rights commission this year. That's definitely not helpful.

>> MODERATOR: Thank you very much, that's the end of our panel. So please join me in thanking our panelists.